View Full Version : a SEH CONTEXT' Question


Limee AKA Lamer
August 26th, 2004, 04:06
typedef struct _CONTEXT {
ULONG ContextFlags;
~~~~~~~~~~~~~
is the ContextFlags a Constant?
ULONG Dr0_PAL_Undefined;
ULONG Dr1_PAL_Undefined;
ULONG Dr2_PAL_Undefined;
ULONG Dr3_PAL_Undefined;
ULONG Dr6_PAL_Undefined;
ULONG Dr7_PAL_Undefined;
// FLOATING_SAVE_AREA FloatSave;
......
LONG SegGs_PAL_Undefined;
ULONG SegFs_PAL_Undefined;
ULONG SegEs_PAL_Undefined;
ULONG SegDs_PAL_Undefined;

ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;

ULONG Ebp;
ULONG Eip;
ULONG SegCs;
ULONG EFlags;
ULONG Esp;
ULONG SegSs;
}

Neitsa
August 26th, 2004, 05:00
Hello,

Quote:


is the ContextFlags a Constant?


The ContextFlags field lets you define what you want to read/write from the CONTEXT structure with the GetThreadContext or SetThreadContext APIs (if you use the CONTEXT struct with an SEH, this field is of no use).

You can retrieve various CONTEXT fields while specifying a special value in ContextFlags.

Asm snippet:
Code:

mov context.ContextFlags, CONTEXT_INTEGER
invoke GetThreadContext,DebugEvent.u.CreateProcessInfo.hThread, addr context


Here are the values for ContextFlags (they can be mixed) for x86 CPUs.

Code:

#define CONTEXT_CONTROL CONTEXT86_CONTROL
#define CONTEXT_INTEGER CONTEXT86_INTEGER
#define CONTEXT_SEGMENTS CONTEXT86_SEGMENTS
#define CONTEXT_FLOATING_POINT CONTEXT86_FLOATING_POINT
#define CONTEXT_DEBUG_REGISTERS CONTEXT86_DEBUG_REGISTERS
#define CONTEXT_FULL CONTEXT86_FULL


Just take a closer look at Winnt.h (there are different values for different CPUs).

For example, if you specify CONTEXT_INTEGER, the values returned in the CONTEXT struct will be:

Code:

ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;


Hope it could help.

Regards, Neitsa.
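
The flag-to-field mapping described in the reply above, as an added example that is not part of the original posts: a small decoder that reports which CONTEXT fields a given x86 ContextFlags value selects. The `CTX86_` names, the `context_fields` helper and its -1 return for a value without the x86 architecture bit are assumptions of this example; the bit values are the x86 ones from winnt.h, redefined locally so it builds without the Windows headers.

```c
#include <stdio.h>
#include <string.h>

/* x86 ContextFlags bits as in winnt.h; CTX86_ prefix is this example's own. */
#define CTX86_ARCH            0x00010000u   /* CONTEXT_i386 */
#define CTX86_CONTROL         (CTX86_ARCH | 0x01u)
#define CTX86_INTEGER         (CTX86_ARCH | 0x02u)
#define CTX86_SEGMENTS        (CTX86_ARCH | 0x04u)
#define CTX86_FLOATING_POINT  (CTX86_ARCH | 0x08u)
#define CTX86_DEBUG_REGISTERS (CTX86_ARCH | 0x10u)
#define CTX86_FULL            (CTX86_CONTROL | CTX86_INTEGER | CTX86_SEGMENTS)

struct group { unsigned flag; const char *fields; };
static const struct group groups[] = {
    { CTX86_CONTROL,         "Ebp Eip SegCs EFlags Esp SegSs" },
    { CTX86_INTEGER,         "Edi Esi Ebx Edx Ecx Eax" },
    { CTX86_SEGMENTS,        "SegGs SegFs SegEs SegDs" },
    { CTX86_FLOATING_POINT,  "FloatSave" },
    { CTX86_DEBUG_REGISTERS, "Dr0 Dr1 Dr2 Dr3 Dr6 Dr7" },
};

/* Write the CONTEXT field names selected by `flags` into `out`.
   Returns the number of groups selected, or -1 if the x86
   architecture bit is missing (a convention of this example). */
int context_fields(unsigned flags, char *out, size_t cap)
{
    int n = 0;
    if (cap) out[0] = '\0';
    if ((flags & CTX86_ARCH) == 0) return -1;
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++) {
        unsigned bit = groups[i].flag & ~CTX86_ARCH;  /* group bit only */
        if ((flags & bit) == 0) continue;
        if (n && strlen(out) + 1 < cap) strcat(out, " ");
        strncat(out, groups[i].fields, cap - strlen(out) - 1);
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    context_fields(CTX86_INTEGER, buf, sizeof buf);
    printf("CONTEXT_INTEGER -> %s\n", buf);
    context_fields(CTX86_FULL, buf, sizeof buf);
    printf("CONTEXT_FULL    -> %s\n", buf);
    return 0;
}
```

Fields outside the selected groups are not filled in by GetThreadContext, so a debugger or crash-analysis tool should only read the groups its ContextFlags value requested.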